A friend of mine called me for advice yesterday. He had just gotten hit hard by ransomware.

If you’ve been keeping up with the news lately, you’ve probably heard about the explosion of the ransomware strain known as Locky. Locky is a very aggressive type of malware that encrypts files on a victim’s computers and crawls through network shares that are accessible to the victim. It is typically delivered by macros inside of Microsoft Word documents sent through email. When recipients open the Word document, they are prompted to enable macros, and when they do, the ransomware embedded in the macro executes and infects the victim’s computer.

This is what happened to my colleague, who works for another company. So far, we’ve escaped Locky at my company, but I’ve had my own experiences with ransomware, and I’d rather be the one giving advice on how to deal with it than the one who has to clean up the mess. And because of my own experience, I was able to give some helpful advice to my friend.

My first question to him was, “What is the current situation?” About 75% of the documents and important files on his company’s computers and file shares had been replaced by ones with “.locky” extensions. (His team had turned off the majority of end-user PCs to stop the spread of the infection.) There was a text file in the affected folders with instructions to pay a ransom of half a bitcoin to purchase the decryption key, along with instructions about where to go to do so.

My second question was, “Can you restore the files from backup?” This is what I did in my own ransomware situation last year, and it was effective. I just deleted all the encrypted files and restored them from backup, making sure the source of the infection was neutralized, and never looked back. My friend was not so lucky. Files stored on the network storage system were backed up every week, so there wouldn’t be too much data lost, but restoring them would take about 36 hours. And most employees of his company had been saving important files locally to their My Documents and Desktop folders, where they were not backed up, and they insisted that getting those files back was essential to business.

At this point, you probably have the same thought that I and my friend had: Just pay the ransom. Half a bitcoin, at today’s exchange rate, is just under $210. Assuming that the criminals are honest and provide the decryption key as promised, they should get their files back. I don’t yet know how this will work out — he purchased the bitcoin and sent the payment but hasn’t yet heard back from the Locky operators. I hope he doesn’t have to call their help desk — I can’t imagine what that conversation would be like.

I asked about the source of the infection. After all, there’s little point in decrypting the files if the malware is still active. It may end up re-encrypting the files, putting him back to square one. But in their haste to stop the infection, they turned off most of the computers and hadn’t yet determined which one was doing the encrypting. I advised him to bring in a professional forensics malware specialist at this point, which he agreed to. In this situation, you want to be 100% sure you contain the situation.

I figure that, given the amount of time required to encrypt so many files, the malware must have been active for over a day. It probably started doing its nasty work in the late afternoon the day before, and everyone went home without noticing that files were being gobbled up. Hopefully, the decryption process will take less than a day. In the meantime, the forensics team can eliminate the infection. If it were me, I would probably throw away all the end-user computers and buy new ones!

I also advised my colleague to block macro-enabled Word (and Excel and PowerPoint) documents from being delivered in email, and I would advise you to do this as well. I have never seen anybody send a legitimate Office document containing a macro from outside a company. Sure, they might be used internally occasionally, but I think the odds of such documents that originate from outside being work-related are nil. And trust me, you don’t want to get Locky.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
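One way to act on the advice above and block macro-enabled Office attachments at the mail gateway, as an added Python example that is not part of the original column: it flags attachments by Office's macro-enabled extensions and, because a .docm renamed to .docx still carries its vbaProject.bin part, also looks inside any zip-based (OOXML) attachment. The message and its attachments are constructed in the code; the macro part is a labelled placeholder, not real VBA.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Office reserves for macro-enabled documents and templates.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam", ".ppsm"}

def contains_vba_project(data: bytes) -> bool:
    # OOXML files are zip archives; Office stores macros in a vbaProject.bin part,
    # so a .docm renamed to .docx is still caught by looking inside the archive.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
    except zipfile.BadZipFile:
        return False

def macro_attachments(raw_message: bytes) -> list:
    # Return (filename, reason) for every attachment a mail gateway should block.
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in MACRO_EXTENSIONS:
            flagged.append((name, "macro-enabled extension"))
        elif contains_vba_project(payload):
            flagged.append((name, "vbaProject.bin inside OOXML archive"))
    return flagged

def fake_ooxml(with_vba: bool) -> bytes:
    # Constructed stand-in for a Word file: a zip with the expected part names.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()

def build_sample_message() -> bytes:
    # Constructed mail: a clean .docx, an obvious .docm, and a macro file disguised as .docx.
    msg = EmailMessage()
    msg.set_content("Please see the attached invoice.")
    for data, fname in ((fake_ooxml(False), "report.docx"), (fake_ooxml(True), "quote.docm"),
                        (fake_ooxml(True), "invoice.docx")):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Running `macro_attachments(build_sample_message())` flags quote.docm by extension and invoice.docx by its embedded VBA part, while report.docx passes.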